Appeals Court Says Emails Are Protected By The 4th Amendment

from the good-news dept

There have been a bunch of court cases recently that have explored the question of whether or not emails stored by your ISP were protected by the 4th Amendment. Some have made the argument that "stored communication" is not protected by the 4th Amendment due to the "third party doctrine," whereby you effectively give up your 4th Amendment rights because you've provided your data to someone else. Different courts have sorta bounced this topic around, ruling in a variety of different ways, while often punting on answering the question directly.

Email is the technological scion of tangible mail, and it plays an indispensable part in the Information Age. Over the last decade, email has become "so pervasive that some persons may consider [it] to be [an] essential means or necessary instrument[] for self-expression, even self-identification." Quon, 130 S. Ct. at 2630. It follows that email requires strong protection under the Fourth Amendment; otherwise, the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve. See U.S. Dist. Court, 407 U.S. at 313; United States v. Waller, 581 F.2d 585, 587 (6th Cir. 1978) (noting the Fourth Amendment's role in protecting "private communications"). As some forms of communication begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise. See Warshak I, 490 F.3d at 473 ("It goes without saying that like the telephone earlier in our history, e-mail is an ever-increasing mode of private communication, and protecting shared communications through this medium is as important to Fourth Amendment principles today as protecting telephone conversations has been in the past.").

If we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment. An ISP is the intermediary that makes email communication possible. Emails must pass through an ISP's servers to reach their intended recipient. Thus, the ISP is the functional equivalent of a post office or a telephone company. As we have discussed above, the police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call--unless they get a warrant, that is. See Jacobsen, 466 U.S. at 114; Katz, 389 U.S. at 353. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.

Of course, it's worth pointing out that while this court says the government is forbidden from wiretapping without a warrant, our government has decided it can ignore that rule, so don't be surprised if it ignores this one too...

I am surprised they did not try to use the "ISP = post office" (or, more specifically, "MTA = post office") analogy before. It is the most obvious analogy in this problem space.

E-mail = "snail" mail
E-mail envelope (has only the return address and the real destinations) = "snail" mail envelope
MTAs (Mail Transfer Agents) = post offices
E-mail servers = buildings with post offices in them
Your E-mail inbox on the server = PO box
Internet connections = whatever they use to move the mails around (in the Internet case, it is not a truck, but a series of tubes)

The transport of email is given over to any number of private companies and individuals. The very distributed nature of the internet for transport of data by definition makes that data somewhat less than private. The presence of a 3rd party sort of negates much of the privacy. The administration of any email system can easily read any of the messages pending in their system (because they are not generally encoded). Those pending emails might be copied onto backup tapes, etc.

Most importantly, email is not a secure transmission method. There is no way to assure that the message is not tampered with, copied, duplicated or otherwise shared. It is more akin to passing a note in your class room from hand to hand, with maybe two or three people in the middle reading it on the way. There is no way to know.

What is on your computer is private. What is in someone else's possession, well... not so sure.

Re:

The main difference, of course, being that the letter is replicated at each step, and sometimes those replicas are stored in logs

(I still fully agree with the conclusion that they should be protected - but that is the main difference in the analogy, as it is in just about every comparison between the digital and physical realms)

Re: More than likely, this one will get overturned.

I won't argue that it may get overturned due to political pressure ... in this case reading through the actual ruling is very insightful. They do make parallels where a regular letter isn't secured physically (just a thin envelope) and handled by many letter carriers who could easily open it, and with telephonic communications where where you have a reasonable expectation of privacy even though a 3rd party is handling and could listen to the transmission. Good reading.http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf to be redundant.

Re:

That is the other way of looking at it, yes - but the point isn't that either view is more accurate than the other, but that one view preserves the spirit and intent of the fourth amendment while the other doesn't. You can't just read the law in a way that cripples part of the constitution and say "Well too bad, that's that" - when it happens, it's a sign that either your reading is flawed or the law needs to be updated.

Re:

Most importantly, email is not a secure transmission method. There is no way to assure that the message is not tampered with, copied, duplicated or otherwise shared.

If it's not encrypted and cryptographically signed, true. If it is -- then the ability of an interloper to do this depends on the strength of the encryption algorithm.

However, worth noting is that mail envelope data is present in the clear at any MTA handling the message -- because it has to be. Thus, even if mail submission, transmission, and retrieval are all set up to encrypted protocols on the wire, anyone with access to the submission, transmission or delivery MTAs can recovery that metadata. This is in turn facilitates traffic analysis, e.g., "who's talking to who?" along with frequency measurement ("how often are they talking?") and to a limited degree volume measurement ("how much are they saying?" -- easily frustrated by attaching random junk to every message).

All that said, the increasing adoption of encryption at the MUA as well as the use of on-the-wire encryption are both good things; it's just that we're long overdue in deploying them.

Likely to be overturned

The third party doctrine is pretty solid precedent, and there is no reason that it shouldn't apply to e-mail, and this decision, while it tried to connect some dots, just didn't make the case.

If you store your stuff in my house and I have a key to the room its in, I can let the cops search it just because. If your e-mail is on my server and it isn't encrypted with a key I don't have, I can give it to the cops. In both cases, if I choose not to give it to the cops, I can be compelled to by subpoena and subject to contempt if I do not comply.

If you think that the police can't search your mail via the US postal service, try and send yourself an envelope full of weed and see what happens.

I always say, don't send anything via e-mail that you don't want the world to know, because e-mail is not and never will be private communications.

Private communication is still private regardless of form

I think this ruling is important and should be upheld considering how important email has become. I regularly send information that could be considered confidential. I do what I can by using initials but nonetheless someone could gather quite a bit of info they shouldn't be in possession of if they intercepted or read my private emails.

I think there is most definitely an expectation of privacy regardless of email not being encrypted or protected in any real way. I don't see how we can rationalize allowing anyone, regardless of government authority, to pilfer through private emails without something along the lines of a search warrant.

Better to beg for forgiveness than ask for permission

while this court says the government is forbidden from wiretapping without a warrant, our government has decided it can ignore that rule, so don't be surprised if it ignores this one too...

We see that indeed whether the gov't knew or not, so long as they make appearances to have acted in good faith, breaking the law might just be incidental. From the decision, here's the excerpt that leaves something to the imagination:

We find that the government did violate Warshak’s Fourth Amendment rights by compelling his Internet Service Provider (“ISP”) to turn over the contents of his emails. However, we agree that agents relied on the SCA in good faith, and therefore hold that reversal is unwarranted.

"Oops, sorry, we violated your rights by picking the wrong laws, but hey we found something so you should be punished anyway. You can trust us, we would never do anything to cause you harm....on purpose." ;)

Re: Fourth Amendment to what?

Re: Private communication is still private regardless of form

Maybe it is just because I know a bit about hosted e-mail, and some of the legal issues involved, I've done some technical consulting in that area, but even before that, I've always assumed that any data of mine on a server that I don't control is essentially public. I suppose it is the geek in me, but a person's ignorance about the technology they use daily does not equal an expectation of privacy.

This might have more significance if...

This might have more significance if we hadn't just lived through ten years of warrantless wiretapping and were not currently getting virtual strip searches and government-funded molestations at the airports. The fourth amendment has been all-but-dead for a while now.

wont make any difference whatsoever. the government will still do what it wants to do, just as it always does! no one cares about a persons rights at all. we are fast heading towards the type of society that millions died for preventing, ie one where everything we do is watched, documented and recorded so it can be used against us, as and when it is felt like! here comes 1984, with a vengeance! hope you all enjoy it!

to what extent can you expect privacy ...

If I were to say out loud in a coffee shop I like girls, how private is that? Someone sitting two table over might hear & repeat the statement. Email is like that ... Unless you encrypt the data how much privacy do you actually believe you have?

Now if the email is encrypted, then I believe you have the right to expect privacy ...

Legal versus Physical protection

About half the comments to this story confuse the legal protection (Who is allowed to read it, or at least try) with the physical protection (Who has the ability to read it, if they don't mind breaking the law).

Examples with physical mail:

If you place a letter in a self-destruction envelope, put it in a steel vault, weld the door shut and surround it with a giant army, a warrant still entitles the police to read it to the best of their ability.

If you write something on a postcard and put it in an unlocked mailbox at the roadside (as is common in the US), it is still a letter protected by the law and the police still need a warrant to open the lid and read it.

Comparing these two scenarios to e-mail, I get this, as did the court:

Encrypting e-mail is like the guarded strongbox with the self-destruction envelope, it may physically stop the police, but does not protect you from the Law.

The trivial need to issue some kind of command to the ISP mail server to grab an unencrypted e-mail is like the trivial need to open the lid on a roadside mailbox. Not enough to stop any passer by from reading your mail, but just enough to implicitly tell law abiding people to stop snooping unless they have a warrant AND a badge.